0

We are using Azure Application Gateway and WAF with detection mode enabled for now and for one of our web-applications what we are observing it is throwing SQL INJECTION ATTACK error message for URLS like:- /Quote/AddItemToCollection?_section=%27Vehicle%27.

Now this is a valid URL for our application and how can we avoid this false positive messages that are coming thru? as if we enabled the PREVENTION mode our web-app will not work. Any help on this guys (CRS 3.0 is enabled) but some URL's like these will be common where we use single tic and that show up.

any help to tackle this?

user42012
  • 722
  • 12
  • 33

2 Answers2

1

Perhaps, you could tune the rules or use custom rules.

For tuning the rules, you can enable WAF diagnostics to view more information on the rules that are being triggered on the WAF. You could download the diagnostic log files if they're stored in a storage account. You could find the error messages and why it was triggered such as the ruleID, Message details in the logs.

If after reviewing the logs you are able to determine that the entry is a false positive or the log captures something that is not considered a risk you have the option to tune the rules that will be enforced. Then you could search for the specific ruleID and un-select it. You could get more details from this good article.

You also could write your own rules to augment the core rule set (CRS) rules. Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF. These rules hold a higher priority than the rest of the rules in the managed rule sets. Read more details about Custom rules for Web Application Firewall.

Hope this could help you.

Community
  • 1
  • 1
Nancy
  • 26,865
  • 3
  • 18
  • 34
  • Thank you Nancy, this definitely helps me let me go thru the custom rules you mentioned above as that would really help the most! – user42012 Jun 11 '19 at 01:44
0

I had similar behavior: My solution was to enable and disable OSWAP rules until I knew what the false positive was. To do this in Azure go to the rules in the Web application firewall section. In my case I use OData which was identified by WAF as a vulnerability, the solution was to disable the rule "942360 - Detects concatenated basic SQL injection and SQLLFI attempts" and that's it..

carlosjavier_114
  • 51
  • 1
  • 4